These days, credit cards with a magnetic strip (MS) are the most common means of payment. Magnetic credit cards carry track 2 information as defined by International Standardization Organization (ISO) standards. When a credit card carrying track 2 information is touched on a card reader, the card reader reads the track 2 information recorded in the magnetic strip and provides it to a finance company server such as a Value Added Network (VAN) server or a card company server, whereby the credit card transaction is processed.
Track 2 information included in a magnetic strip has a Primary Account Number (PAN) area for identifying a card, and the PAN area includes information about a finance company server that processes the credit card transaction.
Track 2 information is composed of a PAN area, an Expiration Date (ED) area, a Service Code (SC) area, and a Discretionary Data (DD) area, and the PAN area includes a Bank Information Number (BIN) for identifying a finance company. The BIN can be used to determine a target that processes a credit card transaction, such as a VAN server or a card company server.
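The track 2 layout described above, as an added example that is not part of the original text: a Python parser that splits a decoded track 2 string into its PAN, ED, SC and DD areas and uses the BIN to select the processing server. The 6-digit BIN length, the 12-digit PAN minimum, the `ROUTES` table, the function names and the sample record are assumptions constructed for illustration.

```python
import re

# Track 2 layout: ;PAN=ED SC DD?  (ED is YYMM, SC is 3 digits, DD is optional).
# PAN is at most 19 digits; the 12-digit lower bound is an assumption of this example.
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<ed>\d{4})(?P<sc>\d{3})(?P<dd>\d*)\?")
MAX_TRACK2_LEN = 40  # ISO/IEC 7813 limit, counting both sentinels and the LRC character
BIN_LEN = 6          # assumption: traditional 6-digit BIN

# Hypothetical routing table (constructed): BIN -> server that processes the transaction.
ROUTES = {"411111": "card-company-server-A", "555555": "van-server-B"}


def luhn_ok(pan: str) -> bool:
    """Verify the PAN check digit (Luhn); a sanity check added by this example."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a decoded track 2 string (LRC already stripped) into its areas."""
    m = TRACK2_RE.fullmatch(raw)
    if m is None or len(raw) + 1 > MAX_TRACK2_LEN:  # +1 for the stripped LRC
        raise ValueError("not a well-formed track 2 record")
    pan, ed = m["pan"], m["ed"]
    if not 1 <= int(ed[2:]) <= 12:
        raise ValueError("expiration month out of range")
    if not luhn_ok(pan):
        raise ValueError("PAN fails the Luhn check")
    bin_ = pan[:BIN_LEN]
    return {
        "bin": bin_,
        "route": ROUTES.get(bin_, "unknown"),
        # Mask the PAN (first 6, last 4) so the parsed record can be logged.
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry_yymm": ed,
        "service_code": m["sc"],
        "discretionary": m["dd"],
    }


# Constructed sample built on a well-known test PAN; not real card data.
SAMPLE = ";4111111111111111=3012101000001230?"
```

Every field returned for `SAMPLE` is the same on each read, which is the static-value property the following paragraph identifies as the forgery risk.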
However, because track 2 information recorded in a magnetic strip has a static value, there is a risk of forgery or falsification. Also, while the track 2 information is transmitted from a card reader to a finance company server, it can be exposed to outside parties. To reduce the risk of forgery or falsification, an electronic credit card in which an Integrated Circuit (IC) is embedded has been proposed. Electronic credit cards can generate a dynamic encryption value using the embedded IC, but to use that value, not only the electronic credit card having the IC but also the card reader obtaining track 2 information from the card must be able to perform an encryption function. This is a problem because existing transaction processing methods run on an infrastructure arranged to support payment with magnetic-strip credit cards, and changing that infrastructure or constructing an additional one can be costly.
To solve the above problems, PCT application WO 2003/081832 discloses a method and system for conducting a transaction using a proximity device that improves security of a credit card having an existing magnetic strip by recording a dynamic authentication code in a DD area of track 2 information, which includes a PAN area, an ED area, an SC area, and the DD area, and by conducting a transaction using the dynamic authentication code.
FIG. 1 illustrates a concept diagram for a transaction conducting method of WO 2003/081832. Referring to FIG. 1, track 2 information is provided from a proximity device 10 to a reader 20. In this case, the proximity device 10 may generate a first authentication value in a DD area (optional area) of the track 2 information that is provided to the reader 20.
The first authentication value mentioned in WO 2003/081832 indicates a random authentication value recorded in the DD area.
Also, the second authentication value mentioned in WO 2003/081832 may mean a part of the credit card numbers that are printed on the back of the card.
The reader 20 provides the first authentication value, which is provided by the proximity device 10, to a credit card issuer 30, and the credit card issuer 30 derives the second authentication value from the first authentication value. Then, when the first authentication value corresponds to the second authentication value as a result of comparison of the two values, the credit card issuer 30 completes the authentication, whereas when the two values do not correspond, the credit card issuer 30 determines that the authentication fails.
Basically, WO 2003/081832 tends to treat the security of the proximity device 10 as more reliable than that of the reader 20 obtaining track 2 information from a credit card. Accordingly, the proximity device 10 has hardware and software structures for generating the first authentication value.
WO 2003/081832 is advantageous in that a transaction system using a magnetic strip can be used, because a dynamic authentication value is recorded in a user-defined DD area and a transaction is conducted using the recorded dynamic authentication value. However, in the case of a transaction system in Korea, which uses a Value Added Network (VAN) server, the dynamic authentication value proposed in WO 2003/081832 requires the VAN server to decrypt the card number. Therefore, system development and maintenance are required in the VAN server for decryption of the card number, and the VAN server needs to arrange an encryption key for decrypting the dynamically encrypted card number.
The encryption key must be provided from a card company server to the VAN server, and maintaining the encryption key in two or more servers (a VAN server and a card company server) can lead to a security vulnerability.